Attorney Docket No.: 529.0002-10US

WHAT IS CLAIMED: 

1. A method of operating an information appliance comprising:
    receive a logic request at an operating system;
    determine if a deception should be provided by the operating system;
    if yes, do one or more of:
        perform a deception action;
        provide a deception response;
        fulfill said logic request;
    if no, fulfill the request normally.

2. A method of operating an information appliance comprising:
    receive a logic request at an operating system;
    determine if communication with external logic is desired;
    if yes:
        using external logic, determine if deception will be performed by the operating system;
        using external logic, decide what deception is to be performed;
        perform a deception action;
        optionally provide a deception response;
        optionally fulfill said logic request action;
    if no:
        evaluate and fulfill said logic request.

3. A computer program product for use in an information system comprising:
    a computer useable medium having computer readable program code embodied therein, said computer program product further comprising:
    computer readable program code enabling a loadable kernel module able to intercept system calls;
    wherein said kernel module, after intercepting a system call, grants, refuses to grant, or falsifies granting or refusing said system call depending on one or more parameters of a system call and/or an entity making said system call; and
    wherein said kernel module, after intercepting a system call, returns either an accurate or an inaccurate response to said system call depending on one or more parameters of a system call and/or an entity making said system call.

4. The computer program product of claim 3 further wherein: 

said kernel module comprising a control module and one or more decision modules. 

5. The computer program product of claim 3 further wherein: 

said kernel module can selectively return false responses in response to system calls. 

6. The computer program product of claim 3 further wherein: 

said kernel module can probabilistically return false responses in response to system 
calls. 

7. The computer program product of claim 3 further comprising: 

computer readable program code that when loaded into an appropriately configured 
information system provides a control mechanism able to identify, mark, and 
control deceptions provided in response to system calls. 

8. The computer program product of claim 3 further wherein: 
said kernel module intercepts all system calls. 

9. The computer program product of claim 3 further wherein:
    said kernel module intercepts one or more system calls analogous to:
    open(); read(); chdir(); stat64(); lstat64(); setuid(); setgid(); setgroups32();
    getdents64(); write(); unlink(); rmdir(); getuid32(); getgid32(); geteuid32();
    getegid32(); getgroups32(); chmod(); rename(); mkdir(); delete_module(); or socketcall().

10. The computer program product of claim 3 further wherein:
    said control module intercepts four or more system calls analogous to:
    open(); read(); chdir(); stat64(); lstat64(); setuid(); setgid(); setgroups32();
    getdents64(); write(); unlink(); rmdir(); getuid32(); getgid32(); geteuid32();
    getegid32(); getgroups32(); chmod(); rename(); mkdir(); delete_module(); or socketcall().

11. The computer program product of claim 3 further comprising:

a user space interface allowing changes in deception behavior to be made while said 
kernel module is inserted. 

12. The computer program product of claim 3 further comprising: 

a module able to simulate /proc filesystem type system call. 

13. The computer program product of claim 3 further wherein said control module
can transparently cause deceived processes to access different storage and processing
areas or systems during a system call.

14. The computer program product of claim 3 further wherein said control module
can hide module listings so that said control module does not appear when an lsmod type
call is executed.

15. An information processing system comprising logic processing apparatus and 

operating system central logic comprising: 

a caller identifier able to indicate calling entities for deception; 

one or more system calls able to set said caller identifier to mark a calling entity for 
deception; and 

one or more system calls able to read said caller identifier and able to provide 
deceptive responses and/or take deceptive actions when called by an entity marked 
for deception. 

16. The system of claim 15 further wherein:

said one or more system calls are able to provide deceptive responses and/or take 
deceptive actions probabilistically. 

17. The system of claim 15 further wherein:

said one or more system calls are able to provide deceptive responses and/or take
deceptive actions selectively.

18. The system of claim 15 further wherein:

said one or more system calls evaluate one or more system and/or user parameters in
determining whether to or how to selectively provide deceptive responses or take
deceptive actions.

19. The system of claim 15 further comprising:

a user space interface allowing changes in deception behavior of one or more system
calls to be made during operation of said operating system central logic.

20. A method of modifying operation of an information system comprising:
    initiating a requested operating system call;
    deciding among three or more possible responses to said system call;
    wherein said responses comprise an accurate or an inaccurate response to a system call; and
    wherein said responses further comprise granting, refusing to grant, or falsifying granting or refusing said system call.
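The decision logic that claims 3, 15, 18 and 20 describe, written here as an added user-space model (not the patent's code and not a kernel module): a caller identifier marks entities for deception, and each intercepted call from a marked caller receives an accurate response, a refusal, a falsified grant or refusal, or inaccurate data, chosen selectively by call type and path and probabilistically for read-type calls. The caller identifiers, the protected path prefix and the dict-backed filesystem are constructed assumptions.

```python
import random
from dataclasses import dataclass, field

# Response classes an intercepted call may receive (claims 3 and 20).
ACCURATE, REFUSE, FALSE_GRANT, FALSE_REFUSE, INACCURATE = (
    "accurate", "refuse", "false_grant", "false_refuse", "inaccurate")

@dataclass
class DeceptionControl:
    """Constructed user-space model of the control/decision module; not kernel code."""
    marked: set = field(default_factory=set)          # caller identifier store (claim 15)
    protected_prefix: str = "/etc/"                   # system parameter evaluated per call (claim 18)
    p_inaccurate: float = 0.5                         # probabilistic false responses (claims 6, 16)
    rng: random.Random = field(default_factory=lambda: random.Random(7))

    def mark(self, caller):
        """Models the system call that sets the caller identifier for an entity."""
        self.marked.add(caller)

    def decide(self, caller, call, path):
        """Pick a response class for one intercepted call made by `caller`."""
        if caller not in self.marked:
            return ACCURATE                           # unmarked entities are served normally
        on_protected = path.startswith(self.protected_prefix)
        if call in ("unlink", "rmdir", "chmod", "rename", "write") and on_protected:
            return FALSE_GRANT                        # selective: report success, change nothing
        if call == "open" and on_protected:
            return FALSE_REFUSE                       # selective: refuse a call that would succeed
        if call == "delete_module":
            return REFUSE                             # genuine refusal of module unloading
        if call in ("read", "stat64", "lstat64", "getdents64"):
            return INACCURATE if self.rng.random() < self.p_inaccurate else ACCURATE
        return ACCURATE

    def handle(self, caller, call, path, fs):
        """Apply the decision to a toy dict-backed filesystem; returns (rc, payload)."""
        decision = self.decide(caller, call, path)
        if decision == FALSE_GRANT:
            return 0, None                            # rc 0, but `fs` is left untouched
        if decision in (REFUSE, FALSE_REFUSE):
            return -13, None                          # -EACCES
        if decision == INACCURATE:
            if call == "getdents64":                  # hide protected entries from the listing
                return 0, sorted(n for n in fs if not n.startswith(self.protected_prefix))
            return 0, "decoy"                         # falsified content or metadata
        if call in ("unlink", "rmdir"):               # accurate path: perform the real operation
            return (0, None) if fs.pop(path, None) is not None else (-2, None)
        if call == "getdents64":
            return 0, sorted(fs)
        return (0, fs[path]) if path in fs else (-2, None)   # -ENOENT
```

Setting `p_inaccurate` to 1.0 or 0.0 makes the read-type decisions deterministic, which is how the selective and probabilistic modes of claims 5 and 6 can be exercised separately.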

21. The method of claim 20 further wherein said responses further comprise
modifying said system call request prior to executing said system call.

22. The method of claim 20 further wherein said responses further comprise 
undetectably redirecting said system call to be performed in another information 
processing environment. 

23. The method of claim 20 further comprising:
selectively returning false responses to system calls.

24. The method of claim 20 further comprising: 
probabilistically returning false responses to system calls. 

25. The method of claim 20 further comprising:
identifying, marking, and controlling deceptions provided in response to system calls
through a user space interface.

26. The method of claim 20 further comprising: 
intercepting all system calls by system call control logic. 

27. The method of claim 20 further comprising:
transparently changing deceived processes to access different storage and processing
areas or systems during a system call.

28. A method of defending an information processing system from possibly
undesired operations comprising:
    initiating an operating system call;
    deciding among a set of possible responses to said system call; and
    wherein said set of possible responses comprises accurate and inaccurate responses.

29. A method of defending an information processing system from intentional
and/or unintentional destructive operations comprising:
    intercepting an operating system call;
    deciding among a set of possible responses to said system call; and
    wherein said set of possible responses comprises granting, refusing to grant, falsifying granting or refusing, and modifying execution of said system call.

30. The method of claim 29 further wherein:
said set of possible responses comprises performing a requested call in a different
information processing environment.

31. A method of enhancing security in an information processing comprising:
    modifying two or more system calls to identify entities for deception and/or provide deception functions; and
    providing deceptions from a system call to an entity identified for deception.

32. A stored program product on a media that when loaded and executed in an 
appropriately configured computer device enables the device to perform the method of 
claim 20. 

33. A stored program product on a media that when loaded and executed in an
appropriately configured computer device enables the device to embody the system of
claim 3.